Abstract

Online trading invariably involves dealings between strangers, so it is important for one party to be able to judge objectively the trustworthiness of the other. In such a setting, the decision to trust a user may sensibly be based on that user's past behaviour. We introduce a specification language based on linear temporal logic for expressing a policy for categorising the behaviour patterns of a user depending on its transaction history. We also present an algorithm for checking whether the transaction history obeys the stated policy. To be useful in a real setting, such a language should allow one to express realistic policies which may involve parameter quantification and quantitative or statistical patterns. We introduce several extensions of linear temporal logic to cater for such needs: a restricted form of universal and existential quantification; arbitrary computable functions and relations in the term language; and a "counting" quantifier for counting how many times a formula holds in the past. We then show that model checking a transaction history against a policy, which we call the history-based transaction monitoring problem, is PSPACE-complete in the size of the policy formula and the length of the history. The problem becomes decidable in polynomial time when the policies are fixed. We also consider the problem of transaction monitoring in the case where not all the parameters of actions are observable. We formulate two such "partial observability" monitoring problems, and show their decidability under certain restrictions.
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^ ! 1 Introduction 
O . 

0\ , Internet mediated trading is now a common way of exchanging goods and services between 
parties who may not have engaged in transactions with each other before. The decision of a 
seller/buyer to engage in a transaction is usually based on the "reputation" of the other party, 
^ ■ which is often provided via the online trading system itself. These so-called reputation systems 
can take the form of numerical ratings, which can be computed based on feedback from users 
(cf. [9] for a survey of reputation systems) While many reputation systems used in practice seem 
to serve their purposes, they are not without problems (cf. [9]) and can be too simplistic in some 
cases. For example, in eBay.com, the rating of a seller/buyer consists of two components: the 
number of positive feedbacks she gets, and the number of negative feedbacks. A seller with, 
say 90 positive feedbacks and 1 negative feedback may be considered trustworthy by some. But 
one may want to correlate a feedback with the monetary value of the transaction by checking if 
the one negative feedback was for a very expensive item, or one may want to check other more 
general relations between different parameters of past transactions. 

Here, we consider an alternative (and complementary) method to describe the reputation of a seller/buyer, by specifying explicitly what constitutes a "good" and a "bad" seller/buyer based on the observed patterns of past transactions. More specifically, we introduce a formal language based on linear temporal logic for encoding the desired patterns of behaviours, and a mechanism for checking these patterns against a concrete history of transactions. The latter is often referred to as the monitoring problem since the behaviour of users is being monitored, but here it is just a specific instance of model checking for temporal logic. The patterns of behaviours, described in the logical language, serve as a concise description of the policies for the user on whether to engage with a particular seller/buyer. The approach we follow here is essentially an instance of history-based access control (see, e.g., [6, 8, 3, 12, 11, 5]). More precisely, our work is closely related to that of Krukow et al. [11, 12].



There are two main ideas underlying the design of our language:

Transactions vs. individual actions: Following Krukow et al., we are mainly interested in expressing properties about transactions seen as a logically connected grouping of actions, for example because they may represent a run of a protocol. A history in our setting is a list of such transactions. This is in contrast to the more traditional notion of history as a list of individual actions (i.e., a trace), e.g., as in [6, 8], which is common in monitoring program execution.

Closed world assumption: The main idea underlying the design of our quantified policies is that a policy should only express properties of objects which are observed in the history. For example, in monitoring a typical online transaction, it makes sense to talk about properties that involve "all the payments that have been made". Thus, if we consider a formalisation of events using predicates, where $pay(100)$ denotes the payment of 100 dollars (say), then we can specify a policy like the one below left, which states that all payments must obey $\psi$:

$$\forall x.\; pay(x) \rightarrow \psi(x) \qquad\qquad \forall x.\; \neg pay(x) \rightarrow \psi(x)$$

However, it makes less sense to talk about "all dollar amounts that a seller did not pay", like the policy above right, since this involves infinitely many possibilities (e.g., the seller paid 100, but did not pay 110, did not pay 111, etc.). We therefore restrict quantification in policies to have a "positive guard", guaranteeing that we always quantify over the finitely many values that have already been observed in the history.

An important consequence of the closed world assumption is that we can only describe relations between known individual objects. Thus we can enrich our logical language with computable functions over these objects and computable relations between these objects without losing decidability of the model checking problem. One such useful extension is arithmetic, which allows one to describe constraints on various quantities and values of transactions.



Our base language for describing policies is the pure past fragment of linear temporal logic [14], since it has been used quite extensively by others [12, 11, 1] for similar purposes. However, the following points distinguish our work from related work in the literature:

• We believe our work is the first to incorporate both quantified policies and computable functions/relations within the same logic. Combining unrestricted quantifiers with arbitrary computable functions easily leads to undecidability (see Section 7).

• We extend temporal logic with a "counting quantifier", which counts how many times a policy has been satisfied in the past. A similar counting mechanism was proposed in [11, 12] as a part of a meta-policy language. But in our work, it is a part of the same logic.

• We consider new monitoring problems based on a notion of partial observability which seems to arise quite naturally in online trading platforms where a user (or a system provider) cannot directly observe all parameters of an action. For instance, on eBay, it may not always be possible to observe whether payments have been made, or it may be possible to observe a payment but not the exact amount paid. We model unobservable parameters in an action as variables representing unknown values. Given a policy and a history containing unknown parameters, we ask whether the policy is satisfied under some substitution of the variables (the potential satisfiability problem), or under all substitutions (the adherence problem).
The rest of the paper is organised as follows. Section 2 introduces our policy language PTLTL^FO, for "past time linear temporal logic with first-order (guarded) quantifiers", and defines its semantics. Section 3 presents some examples using PTLTL^FO for specifying access control policies. Two examples are formalisations of known security policies, which are trace-based in the sense that the histories are just traces, and which go beyond the scope of online trading systems alone. The third example shows a transaction-based policy as it can be used for eBay.com-type systems. Section 4 considers the model checking problem for PTLTL^FO, which we show to be PSPACE-complete, even if we restrict it to what we call trace-like histories. Fixing the policies reduces the complexity to polynomial time. Section 5 presents an extension of PTLTL^FO with a counting quantifier allowing us to express that a policy depends on the number of times another policy was satisfied in the past. The model checking problem for this extension remains PSPACE-complete. In Section 6, we consider more general (undecidable) monitoring problems where not all the parameters of an action can be observed. By restricting the class of allowed functions and relations, we can obtain decidability of both the potential satisfiability and adherence problems, for example when the term language of the logic is restricted to linear arithmetic. Section 7 discusses possible decidable extensions to the guarded quantifiers. Section 8 concludes the paper and discusses related work. Detailed proofs are given in the Appendix.



2 The policy language: definitions and notation

Since we are interested in the notion of history-based access control, our definition of history is a simplification of that of [12]. A history is organised as a list of sessions. Each session is a finite set of events, or actions. Each event is represented by a predicate. A session represents a "world" in the sense of a Kripke semantics where the underlying frame is linear and discrete.

The term structures of our policy language are made up of variables and interpreted multi-sorted function symbols. Function symbols of zero arity are called constants. Terms are ranged over by $s, t, u$. Variables of the language, denoted by $x, y, z$, range over certain domains, such as strings, integers, or other finite domains. We call these domains base types or simply types. We assume a distinguished type $prop$ which denotes the set of propositions of the logic, and which must not be used in the types of the function symbols and variables. That is, we do not allow logical formulae to appear at the term level. Function symbols and variables are typed. We assume an interpretation where distinct constants of the same type map to distinct elements of the type. We shall use the same symbol, say $a$, to refer both to an element of some type $\tau$ and the constant representing this element. Function symbols of arity one or more admit a fixed interpretation, which can be any total recursive function. We shall assume the usual function symbols for arithmetic, $+$, $-$, $\times$, etc., with the standard interpretations. The language we are about to define is open to additional interpreted function symbols, e.g., string-related operations. We shall use $f, g, h$ to range over function symbols of arity one or more, and $a, b, c, d$ to range over constants. We also assume a set of interpreted relations, in particular those for arithmetic, e.g., $<$, $=$, $>$, etc. These interpreted relations are ranged over by $R$. All the interpreted functions and relations have first-order types, i.e., their types are of the form

$$\tau_1 \times \cdots \times \tau_n \rightarrow \tau$$

where $\tau$ and $\tau_1, \ldots, \tau_n$ are base types. We shall restrict to computable relations $R$. Of course, there is also the (rigidity) assumption that the function $f$, constant $c$ and relation $R$ have the same fixed interpretation over all worlds.

Since our term language contains interpreted symbols, we assume that there is a procedure for evaluating terms into values. We also assume that each term can be evaluated to a unique value. Given a term $t$, we shall denote with $t\!\downarrow$ the unique value denoted by this term, e.g., if $t = (2 + 3)$ then $t\!\downarrow\; = 5$. Given an atomic formula $p(t_1, \ldots, t_n)$, we shall write $p(t_1, \ldots, t_n)\!\downarrow$ to denote $p(t_1\!\downarrow, \ldots, t_n\!\downarrow)$. The policy language is given by the following grammar:

$$\psi ::= p(t_1, \ldots, t_m) \mid R(t_1, \ldots, t_n) \mid \psi \wedge \psi \mid \neg\psi \mid X^{-1}\psi \mid \psi \,S\, \psi \mid \forall(x_1, \ldots, x_n) : p.\; \psi.$$

$$
\begin{array}{lcl}
(h, i) \models p(t_1, \ldots, t_n) & \text{iff} & p(t_1\!\downarrow, \ldots, t_n\!\downarrow) \in h_i \\
(h, i) \models R(t_1, \ldots, t_n) & \text{iff} & R(t_1\!\downarrow, \ldots, t_n\!\downarrow) \text{ is true} \\
(h, i) \models \psi_1 \wedge \psi_2 & \text{iff} & (h, i) \models \psi_1 \text{ and } (h, i) \models \psi_2 \\
(h, i) \models \neg\psi & \text{iff} & (h, i) \not\models \psi \\
(h, i) \models X^{-1}\psi & \text{iff} & i > 1 \text{ and } (h, i-1) \models \psi \\
(h, i) \models \psi_1 \,S\, \psi_2 & \text{iff} & \text{there exists } j \le i \text{ such that } (h, j) \models \psi_2 \text{ and} \\
 & & \text{for all } k, \text{ if } j < k \le i \text{ then } (h, k) \models \psi_1 \\
(h, i) \models \forall(x_1, \ldots, x_n) : p.\; \psi & \text{iff} & \text{for all } c_1, \ldots, c_n, \text{ if } p(c_1, \ldots, c_n) \in h_i \\
 & & \text{then } (h, i) \models \psi[x_1 := c_1, \ldots, x_n := c_n].
\end{array}
$$

Fig. 1. Semantics of PTLTL^FO

In the quantified formula $\forall(x_1, \ldots, x_n) : p.\; \psi$, where $n \ge 1$, the symbol $p$ is an $n$-ary predicate of type $\tau_1 \times \cdots \times \tau_n \rightarrow prop$, and each $x_i$ is of type $\tau_i$. The intended interpretation of this quantification is that the predicate $p$ defines a subtype of $\tau_1 \times \cdots \times \tau_n$, which is determined by the occurrence of $p$ in the world (session) in which the formula resides. For example, in a world consisting of $\{p(1,1), p(1,2), p(1,3), q(4)\}$ the predicate $p$ represents the set $\{(1,1), (1,2), (1,3)\}$, i.e., a subset of $\mathbb{N} \times \mathbb{N}$. We shall often abbreviate $\forall(x_1, \ldots, x_n) : p.\; \psi$ as simply $\forall \bar{x} : p.\; \psi$ when the exact arity and the information about each $x_i$ is not important or can be inferred from context. The notions of free and bound variables are defined as usual. A formula is closed if it has no occurrences of free variables.

Definition 1 An event (or an action) is a predicate $p(c_1, \ldots, c_n)$ where each $c_i$ is a constant and $p$ is an uninterpreted predicate symbol. A session is a finite set of events. A history is a finite list of sessions.

A standard definition for the semantics of first-order logic uses a mapping of free variables in a formula to elements of the types of the variables. To simplify the semantics, we shall consider only closed formulae. The semantics for quantified statements is then defined by closing these statements under variable mappings. We use the notation $\sigma$ and $\theta$ to range over partial maps from variables to elements of types. We usually enumerate them as, e.g., $[x_1 := a_1, \ldots, x_n := a_n]$. Since we identify a constant with the element represented by that constant, a variable mapping is both a semantic and a syntactic concept. The latter means that we can view a variable mapping as a substitution. Given a formula $\psi$ and a variable mapping $\sigma$, we write $\psi\sigma$ to denote the formula resulting from replacing each free variable $x$ in $\psi$ with the constant $\sigma(x)$. From now on, we shall use the terms variable mapping and substitution interchangeably.

The semantic judgement that we are interested in is of the form $(h, i) \models \psi$, where $h$ is a history, $i$ is an index referring to the $i$-th session in $h$, and $\psi$ is a closed formula. The judgement reads "$\psi$ is true at the $i$-th world in the history $h$". We denote with $|h|$ the length of $h$, and with $h_i$ the $i$-th element of $h$ when $i \le |h|$.

Definition 2 The forcing relation $(h, i) \models \psi$, where $h$ is a history, $i$ an integer, and $\psi$ a formula, is defined inductively as shown in Figure 1, where $1 \le i \le |h|$. We denote with $h \models \psi$ the relation $(h, |h|) \models \psi$. The boolean connectives $\vee$ (disjunction) and $\rightarrow$ (implication) are defined in the standard way using negation and conjunction, and the guarded existential quantifier used in the examples below is $\exists \bar{x} : p.\; \psi = \neg\forall \bar{x} : p.\; \neg\psi$. We derive the operators $F^{-1}\psi = \top \,S\, \psi$ ("sometime in the past") and $G^{-1}\psi = \neg F^{-1}(\neg\psi)$ ("always in the past"), where $\top$ ("true") is short for $p \vee \neg p$.

Note that allowing unrestricted quantifiers can cause model checking to become undecidable, depending on the interpreted functions and relations. For example, if we allow arbitrary arithmetic expressions in the term language, then we can express solvability of Diophantine equations, which is undecidable [15, Chapter 5].

3 Some example policies

Let us now examine some example policies known from the literature, and our means of expressing them concisely and accurately. We also examine some policies from applications other than monitoring users in online trading systems to demonstrate that our language can model the requirements of other related domains as well, if they can be expressed as trace-based properties.

One-out-of-k policy. The one-out-of-k policy as described in [6] concerns the monitoring of web-based applications. More specifically, it concerns monitoring three specific situations: connection to a remote site, opening local files, and creating subprocesses. We model this as follows, with the set of events being

$open(file, mode)$: request to open the file $file$ in mode $mode$, where $file$ is a string containing the absolute path, and $mode$ can be either $ro$ (for read-only) or $rw$ (for read-write). There can be other modes but for simplicity we assume just these two;

$read/write/create(file)$: request to read/write/create a file;

$connect$: request to open a socket (to a site which is irrelevant for now);

$subproc$: request to create a subprocess.

We assume some operators for string manipulation: the function $path(file)$ which returns the absolute path to the directory in which the file resides, and the equality predicate $=$ on strings. The history in this setting is restricted to one in which every session is a singleton set. We now show how to encode one of the policies as described in [6]: allow a program to open local files in user-specified directories for modification if and only if it has created them, and it has neither tried to connect to a remote site nor tried to create a subprocess. Suppose that we allow only one user-specified directory, called "Document". Then this policy can be expressed as:

$$\forall(x, m) : open.\; m = rw \rightarrow [\, path(x) = \text{"Document"} \wedge F^{-1} create(x) \wedge \neg F^{-1} connect \wedge \neg F^{-1} subproc \,].$$

Chinese wall policy. The Chinese wall policy [5] is a common access control policy used in financial markets for managing conflicts of interest. In this setting, each object for which access is requested is classified as belonging to a company dataset, which in turn belongs to a conflict of interest class. The idea is that a user (or subject) that accessed an object that belonged to a company A in the past will not be allowed to access another object that belongs to a company B which is in the same conflict of interest class as A.

To model this policy, we assume the following finite sets: $U$ for users, $O$ for objects, $D$ for company datasets, and $C$ for the names of the conflict of interest classes. The event we shall be concerned with is access of an object $o$ by a user $u$. We shall assume that this event carries information about the company dataset to which the object belongs, and the name of the conflict of interest class to which the company dataset belongs. That is, $access$ is of type $U \times O \times D \times C \rightarrow prop$. A history in this case is a sequence of singleton sets containing the $access$ event. The policy, as given in [5], specifies among others that

"access is only granted if the object requested:

(1) is in the same company dataset as an object already accessed by that subject, or

(2) belongs to an entirely different conflict of interest class."

Implicit in this description is that first access (i.e., no prior history) is always allowed. We can model the case where no prior history exists simply using the formula $\neg X^{-1}\top$. This policy can be expressed in our language as follows:

$$\begin{array}{l}
\forall(s, u, d, c) : access.\; \neg X^{-1}\top \;\vee \\
\quad (X^{-1} F^{-1}\, \exists(s', u', d', c') : access.\; s = s' \wedge d = d') \;\vee \\
\quad (X^{-1} G^{-1}\, \forall(s', u', d', c') : access.\; s = s' \rightarrow \neg(c = c')).
\end{array}$$

eBay.com. In this example, we consider a scenario where a potential buyer wants to engage in a bidding process on an online trading system like eBay.com, but the buyer wants to impose some criteria on what kind of sellers she trusts. A simple policy would be something like "only deal with a seller who was never late in delivering items". In this model, a session in a history represents a complete exchange between buyer and seller, e.g., the bidding process, winning the bid, payment, confirmation of payment, delivery of items, confirmation of delivery, and the feedbacks. We consider the following events (we are considering the history of a seller):

$win(X, V)$: the bidder won the bid for item $X$ for value $V$.

$pay(T, X, V)$: payment for the item $X$ at date $T$ of the sum $V$ (numerical value in dollars).

$post(X, T)$: the item $X$ is delivered within $T$ days. (Note that in the actual eBay system, no concrete number of days is given; instead buyers can rate the time for posting and handling in the feedback forums in a range of 1 to 5.)

$negative$, $neutral$, $positive$: represent, respectively, negative, neutral and positive feedback.

There are of course other actions and parameters that we can formalise, but these are sufficient for an illustration. Now, suppose the buyer sets a criterion such that a posting delay greater than 10 days after payment is unacceptable. This can be expressed simply as:

$$G^{-1}\,[\,\forall(t, x, v) : pay.\; \exists(y, t') : post.\; x = y \wedge t' \le 10\,]. \qquad (1)$$

Of course, for such a simple purpose, one can rely on eBay's rating system, which basically computes the number of feedbacks in each category (positive, neutral and negative). However, the seller's rating may sometimes be too coarse a description of a seller's reputation. For instance, one is probably willing to trust a seller with some negative feedbacks, as long as those feedbacks refer to transactions involving only small values. A buyer can specify that she would trust a seller who never received negative feedback for transactions above a certain value, say, 200 dollars. This can be specified as follows:

$$G^{-1}\,[\,\forall(t, x, v) : pay.\; v > 200 \rightarrow \neg negative\,].$$

4 Model checking PTLTL^FO

Let us now consider the model checking problem for PTLTL^FO, i.e., deciding whether $h \models \varphi$ holds. We shall see that the model checking problem is PSPACE-complete, even in the purely logical case, i.e., the case where no interpreted functions or relations occur in the formula. We prove the complexity of our model checking problem via a terminating recursive algorithm. The algorithm is presented abstractly via a set of rules which successively transform a triple $(h, i, \varphi)$ of a history, an index and a formula, and return a truth value of either $\mathbf{t}$ or $\mathbf{f}$ to indicate that $(h, i) \models \varphi$ (resp. $(h, i) \not\models \varphi$). We write $(h, i, \varphi) \Downarrow v$ to denote this relation and overload the logical connectives $\wedge$, $\vee$ and $\neg$ to denote operations on boolean values, e.g., $\mathbf{t} \wedge \mathbf{t} = \mathbf{t}$, etc.
$$
\begin{array}{c}
\dfrac{}{(h, i, p(\bar{t})) \Downarrow v}\ (p)\quad \text{where } v := \mathbf{t} \text{ if } p(\bar{t})\!\downarrow\; \in h_i \text{, else } v := \mathbf{f}
\qquad
\dfrac{}{(h, i, R(\bar{t})) \Downarrow v}\ (R)\quad \text{where } v := \mathbf{t} \text{ if } R(\bar{t})\!\downarrow \text{ is true, else } v := \mathbf{f}
\\[2ex]
\dfrac{(h, i, \psi_1) \Downarrow v_1 \qquad (h, i, \psi_2) \Downarrow v_2}{(h, i, \psi_1 \wedge \psi_2) \Downarrow v_1 \wedge v_2}\ (\wedge)
\qquad
\dfrac{(h, i, \psi) \Downarrow v}{(h, i, \neg\psi) \Downarrow \neg v}\ (\neg)
\\[2ex]
\dfrac{}{(h, 1, X^{-1}\psi) \Downarrow \mathbf{f}}\ (X^{-1}_{1})
\qquad
\dfrac{(h, i-1, \psi) \Downarrow v}{(h, i, X^{-1}\psi) \Downarrow v}\ (X^{-1}_{i>1})
\\[2ex]
\dfrac{(h, i, \varphi(\bar{\tau}_1)) \Downarrow v_1 \quad \cdots \quad (h, i, \varphi(\bar{\tau}_n)) \Downarrow v_n}{(h, i, \forall \bar{x} : p.\; \varphi(\bar{x})) \Downarrow v_1 \wedge \cdots \wedge v_n}\ (\forall)
\quad \text{where } \{\varphi(\bar{\tau}_1), \ldots, \varphi(\bar{\tau}_n)\} = \{\varphi(\bar{x}) \mid p(\bar{x}) \in h_i\}
\\[2ex]
\dfrac{(h, 1, \psi_2) \Downarrow v}{(h, 1, \psi_1 \,S\, \psi_2) \Downarrow v}\ (S_{1})
\qquad
\dfrac{(h, i, \psi_2) \Downarrow v_1 \quad (h, i, \psi_1) \Downarrow v_2 \quad (h, i-1, \psi_1 \,S\, \psi_2) \Downarrow v_3}{(h, i, \psi_1 \,S\, \psi_2) \Downarrow v_1 \vee (v_2 \wedge v_3)}\ (S_{i>1})
\end{array}
$$

Fig. 2. Evaluation rules for deciding whether $(h, i) \models \varphi$. In rule $(\forall)$ the conjunction over an empty guard (no $p$-event in $h_i$) is $\mathbf{t}$, so a guarded universal quantifier holds vacuously in a session without $p$-events.

Since $\psi_1 \,S\, \psi_2 \equiv \psi_2 \vee (\psi_1 \wedge X^{-1}(\psi_1 \,S\, \psi_2))$, we shall use the following semantic clause for $\psi_1 \,S\, \psi_2$, which is equivalent to the original one:

$$(h, i) \models \psi_1 \,S\, \psi_2 \quad\text{iff}\quad (h, i) \models \psi_2 \text{ or } [\,(h, i) \models \psi_1 \text{ and } i > 1 \text{ and } (h, i-1) \models \psi_1 \,S\, \psi_2\,].$$

The rules for the evaluation judgement are given in Figure 2. To evaluate the truth value of $(h, i, \varphi)$, we start with the judgement $(h, i, \varphi) \Downarrow v$ where $v$ is still unknown. We then successively apply the transformation rules bottom up, according to the main connective of $\varphi$ and the index $i$. Each transformation step creates $n$ child nodes with $n$ unknown values. Only at the base cases (i.e., $p$, $R$, or $X^{-1}$ at the first session) is the value of $v$ explicitly computed and passed back to the parent nodes. A run of this algorithm can be presented as a tree whose nodes are the evaluation judgements, related by the transformation rules. A straightforward simultaneous induction on the derivation tree of the evaluation judgements yields:

Lemma 3 The judgement $(h, i, \varphi) \Downarrow \mathbf{t}$ is derivable if and only if $(h, i) \models \varphi$, and the judgement $(h, i, \varphi) \Downarrow \mathbf{f}$ is derivable if and only if $(h, i) \not\models \varphi$.

Theorem 4 Let $\varphi$ be a PTLTL^FO formula and $h$ a history. If the interpreted functions and relations in $\varphi$ are in PSPACE, then deciding whether $h \models \varphi$ holds is PSPACE-complete.

Although the model checking problem is PSPACE-complete, in practice one often has a fixed policy formula which is evaluated against different histories. Then it makes sense to ask about the complexity of the model checking problem with respect to the size of histories only (while restricting ourselves to interpreted functions and relations computable in polynomial time).

Theorem 5 The decision problem for $h \models \varphi$, where $\varphi$ is fixed, is solvable in polynomial time.

An easy explanation for the above hardness result is via a polynomial time encoding of the PSPACE-complete QBF problem (cf. [16] and the Appendix). Given a boolean expression like $E(x_1, x_2, x_3) = (x_1 \vee \neg x_2) \wedge (\neg x_2 \vee x_3)$ and the QBF formula $F = \forall x_1.\, \exists x_2.\, \forall x_3.\, E(x_1, x_2, x_3)$, we can construct a corresponding PTLTL^FO formula $\varphi = \forall x_1 : p_1.\; \exists x_2 : p_2.\; \forall x_3 : p_3.\; E'(x_1, x_2, x_3)$, where $E'(x_1, x_2, x_3) = (true(x_1) \vee \neg true(x_2)) \wedge (\neg true(x_2) \vee true(x_3))$, and a history $h$, below, representing all possible interpretations of $F$'s variables in a single session:

$$h = \{\,p_1(0), p_1(1), p_2(0), p_2(1), p_3(0), p_3(1), true(1)\,\}.$$

It is then easy to see that $F$ evaluates to true if and only if $h \models \varphi$ holds. Thus solving our general model checking problem, like QBF, may require time exponential in the number of quantifiers. On the surface it seems that this "blow up" is caused by the multiple occurrences of the same predicate symbol in a single session. It is therefore natural to ask whether the complexity of the problem can be reduced if we consider histories where every predicate symbol can occur at most once in every session. Surprisingly, however, even with this restriction, model checking remains PSPACE-complete. Consider, for example, the following polynomial encoding of the above QBF instance, using this restriction (the elided sessions hold $p_2(0)$ and $p_2(1)$; each quantifier looks back from the sessions of its own predicate to those of the next one):

$$\{p_3(0), true(1)\};\; \{p_3(1), true(1)\};\; \ldots;\; \{p_1(0), true(1)\};\; \{p_1(1), true(1)\} \;\models\; G^{-1}\,\forall x_1 : p_1.\; F^{-1}\,\exists x_2 : p_2.\; G^{-1}\,\forall x_3 : p_3.\; E'(x_1, x_2, x_3).$$

Definition 6 A history $h$ is said to be trace-like if for all $i$ such that $1 \le i \le |h|$, for all $p$, $\bar{t}$ and $\bar{s}$, if $p(\bar{t}) \in h_i$ and $p(\bar{s}) \in h_i$, then $\bar{t} = \bar{s}$.

Theorem 7 Let $\varphi$ be a PTLTL^FO formula and $h$ a trace-like history. If the interpreted functions and relations in $\varphi$ are in PSPACE, then deciding whether $h \models \varphi$ holds is PSPACE-complete.

Implementation. We have implemented the above in terms of a prototype model checker for PTLTL^FO, which can be freely downloaded and evaluated at http://code.google.com/p/ptltl-mc/. The model checker primarily accepts two user inputs: a PTLTL^FO policy and a history which is then checked against the policy. We use FOL-RuleML [2] as the input format for the policy since it is due for standardisation as the W3C's first-order logic extension to RuleML [10]. Thus users can even specify policies using graphical XML editors with a FOL-RuleML DTD extended by our temporal operators.

Our model checker is currently not optimised for performance, but it demonstrates the feasibility and practicality of our approach to tackling these problems, as its main algorithm is based directly on the rules from Figure 2. The above web site contains OCaml source code (as well as a statically linked binary for Linux) and some example policies from Section 3 in XML format.

5 Extending PTLTL^FO with a counting quantifier

We now consider an extension of our policy language with a counting quantifier. The idea is that we want to count how many times a policy was satisfied in the past, and use this number to write another policy.

The language of formulae is extended with the construct $N x : \psi.\; \phi(x)$, where $x$ binds over the formula $\phi(x)$ and is not free in $\psi$. The semantics of this formula is as follows:

$$(h, i) \models N x : \psi.\; \phi(x) \quad\text{iff}\quad (h, i) \models \phi(n), \text{ where } n = |\{\, j \mid 1 \le j \le i \text{ and } (h, j) \models \psi \,\}|.$$

Krukow et al. also consider a counting operator, $\#$, which applies to a formula. Intuitively, $\#\psi$ counts the number of sessions in which $\psi$ is true, and can be used inside other arithmetic expressions like $\#\psi < 5$. The advantage of our approach is that we can still maintain a total separation of these arithmetic expressions and other underlying computable functions from the logic, thus allowing us to modularly extend these functions. Another notable difference is that our extension resides in the logic itself, instead of a separate "meta" policy language like theirs.

Examples: We show how to state a "meta" policy such as: "engage only with a seller whose past transactions with negative feedback constitute at most a quarter of the total transactions". This can be expressed succinctly by the following formula, since $N y : \top$ instantiates $y$ to the length of the transaction history to date:

$$N x : negative.\; N y : \top.\; \frac{x}{y} \le \frac{1}{4}.$$

A more elaborate example is the formula in Equation (1) without the $G^{-1}$ operator:

$$\psi = \forall(t, x, v) : pay.\; \exists(y, t') : post.\; x = y \wedge t' \le 10.$$

Then one can specify a policy that demands that "the seller's delivery is mostly on time", where mostly can be given as a percentage, such as 90%, via:

$$N x : \psi.\; N y : \top.\; \frac{x}{y} \ge 0.9.$$

The proof of the theorem below is a straightforward extension of the proof of Theorem 4.

Theorem 8 Assuming that the interpreted functions and relations are in PSPACE, the model checking problem for PTLTL^FO extended with the counting quantifier is PSPACE-complete.
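As an added illustration of Sections 3 to 5, the following Python program (example code written for this edit, not the paper's OCaml prototype described in Section 4) implements the evaluation rules of Figure 2 together with the counting quantifier $N$, and runs Equation (1), the "no negative feedback above 200 dollars" policy and the two counting policies above against a constructed four-session seller history. The nested-tuple encoding of formulas, the use of Python callables for interpreted functions and relations, and the contents of the sample history are all assumptions of this example.

```python
# Added example (not the paper's code): the evaluation rules of Figure 2 plus the
# counting quantifier N of Section 5, in Python.
#   term    : ('v', x) variable | ('c', value) constant | ('f', fn, [terms]) interpreted function
#   formula : ('pred', p, [terms]) | ('rel', fn, [terms]) | ('and', a, b) | ('not', a)
#             | ('prev', a) for X^{-1} | ('since', a, b) for S | ('forall', (x..), p, a)
#             | ('count', x, psi, chi) for N x : psi. chi(x)
#   event   : (p, (c1, ..., cn));  session : set of events;  history : list of sessions (i is 1-based)
import operator as op
from fractions import Fraction

def val(t, env):
    """t-down-arrow: the unique value of a term under the variable mapping env."""
    if t[0] == 'v':
        return env[t[1]]
    if t[0] == 'c':
        return t[1]
    return t[1](*[val(a, env) for a in t[2]])

def ev(h, i, phi, env):
    """Decide (h, i) |= phi following Figure 2 (S unfolded as in Section 4)."""
    k = phi[0]
    if k == 'pred':                      # is p(t1..tn) evaluated to values in h_i ?
        return (phi[1], tuple(val(t, env) for t in phi[2])) in h[i - 1]
    if k == 'rel':                       # interpreted relation R(t1..tn)
        return bool(phi[1](*[val(t, env) for t in phi[2]]))
    if k == 'and':
        return ev(h, i, phi[1], env) and ev(h, i, phi[2], env)
    if k == 'not':
        return not ev(h, i, phi[1], env)
    if k == 'prev':                      # X^{-1}: false at the first session
        return i > 1 and ev(h, i - 1, phi[1], env)
    if k == 'since':                     # psi2, or psi1 and (h, i-1) |= psi1 S psi2
        return ev(h, i, phi[2], env) or (
            ev(h, i, phi[1], env) and i > 1 and ev(h, i - 1, phi, env))
    if k == 'forall':                    # guarded by the p-events of h_i; an empty guard gives true
        _, xs, p, psi = phi
        return all(ev(h, i, psi, {**env, **dict(zip(xs, args))})
                   for name, args in h[i - 1] if name == p and len(args) == len(xs))
    if k == 'count':                     # x := number of sessions 1..i satisfying psi
        _, x, psi, chi = phi
        n = sum(1 for j in range(1, i + 1) if ev(h, j, psi, env))
        return ev(h, i, chi, {**env, x: n})
    raise ValueError('unknown connective %r' % k)

def holds(h, phi):
    """h |= phi, i.e. phi evaluated at the last session of h."""
    return ev(h, len(h), phi, {})

# Derived connectives and quantifiers, as defined in Section 2.
TOP = ('rel', lambda: True, [])
def Not(a): return ('not', a)
def Or(a, b): return Not(('and', Not(a), Not(b)))
def Imp(a, b): return Or(Not(a), b)
def Exists(xs, p, psi): return Not(('forall', xs, p, Not(psi)))
def Fpast(psi): return ('since', TOP, psi)      # F^{-1} psi = T S psi
def Gpast(psi): return Not(Fpast(Not(psi)))    # G^{-1} psi = not F^{-1} not psi
def V(x): return ('v', x)
def C(c): return ('c', c)
def Rel(fn, *ts): return ('rel', fn, list(ts))
def Pred(p, *ts): return ('pred', p, list(ts))

# Constructed history of one seller (sample data, not from the paper): each session is a
# complete exchange win(X, V), pay(T, X, V), post(X, T) and a feedback, as in Section 3.
SELLER = [
    {('win', ('a', 100)), ('pay', (1, 'a', 100)), ('post', ('a', 5)),  ('positive', ())},
    {('win', ('b', 150)), ('pay', (3, 'b', 150)), ('post', ('b', 12)), ('negative', ())},
    {('win', ('c', 40)),  ('pay', (7, 'c', 40)),  ('post', ('c', 2)),  ('positive', ())},
    {('win', ('d', 60)),  ('pay', (9, 'd', 60)),  ('post', ('d', 1)),  ('positive', ())},
]

# Body of Equation (1): every payment in the session was delivered within 10 days.
ON_TIME = ('forall', ('t', 'x', 'v'), 'pay',
           Exists(('y', 'tp'), 'post',
                  ('and', Rel(op.eq, V('x'), V('y')), Rel(op.le, V('tp'), C(10)))))
NEVER_LATE = Gpast(ON_TIME)                                             # Equation (1)
NO_NEGATIVE_ABOVE_200 = Gpast(('forall', ('t', 'x', 'v'), 'pay',
                               Imp(Rel(op.gt, V('v'), C(200)), Not(Pred('negative')))))
AT_MOST_QUARTER_NEGATIVE = ('count', 'x', Pred('negative'), ('count', 'y', TOP,
                            Rel(lambda x, y: Fraction(x, y) <= Fraction(1, 4), V('x'), V('y'))))
MOSTLY_ON_TIME = ('count', 'x', ON_TIME, ('count', 'y', TOP,
                  Rel(lambda x, y: Fraction(x, y) >= Fraction(9, 10), V('x'), V('y'))))

def check_seller():
    """Evaluate the policies of Sections 3 and 5 against SELLER."""
    return {
        'never_late': holds(SELLER, NEVER_LATE),                          # False: item b took 12 days
        'no_negative_above_200': holds(SELLER, NO_NEGATIVE_ABOVE_200),    # True: the negative was for 150
        'at_most_quarter_negative': holds(SELLER, AT_MOST_QUARTER_NEGATIVE),  # True: 1 of 4 sessions
        'mostly_on_time': holds(SELLER, MOSTLY_ON_TIME),                  # False: 3 of 4 = 75% < 90%
    }

if __name__ == '__main__':
    for name, ok in check_seller().items():
        print('%-26s %s' % (name, ok))
```

The recursion mirrors the rule tree of Figure 2 literally: the `since` case re-derives $\psi_1 \,S\, \psi_2$ at every earlier index, and `count` re-evaluates $\psi$ at every session, so nested temporal operators cost time that grows with the depth of nesting times the history length. The point is that this is exactly what the PSPACE argument in Section 4 tolerates; a checker that has to keep up with a live feed would instead evaluate a fixed policy incrementally, caching the value of each subformula at session $i-1$ and updating it at session $i$, which is what makes Theorem 5's fixed-policy case cheap in practice.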

6 Partial observability

In some online transaction systems, like eBay, certain events may not be wholly observable all the time, even to the system providers, e.g., payments made through a third party outside the control of the provider. (eBay asks the user for confirmation of payment, but does not check whether the payment goes through. In our simplified account, this is modelled by an unknown amount in the payment parameters.) We consider scenarios where some information is missing from the history of a client (buyer or seller) and the problem of enforcing security policies in this setting.

Examples: Consider the policy $\psi = [\,\forall(x, v) : win.\; \exists(t, y, u) : pay.\; x = y \wedge v = u\,]$ which states that every winning bid must be paid with the agreed dollar amount. The history below, where $X$ represents an unknown amount, can potentially satisfy $\psi$ when $X = 100$ (say):

$$h = \{win(a, 100), pay(1, a, 100), post(a, 5)\};\; \{win(a, 100), pay(2, a, X), post(a, 4), positive\}$$

Of course it is also possible that the actual amount paid is less than 100, in which case the policy is not satisfied. There are also cases in which the values of the unknowns do not matter. For instance, a system provider may not be able to verify payments, but it may deduce that if a buyer leaves a positive remark, then payment has been made. That is, a policy like the following:

$$\psi' = G^{-1}\,[\,\forall(x, v) : win.\; \exists(t, y, u) : pay.\; x = y \wedge (u = v \vee positive)\,]$$

which checks that a payment was made and it was made for exactly the same amount as the winning bid, or the transaction concluded with positive feedback (which presumably means everything is fine). In this case, we see that $h$ still satisfies $\psi'$ under all substitutions for $X$.

We consider two problems arising from partial observability. For this, we extend slightly the notion of history and sessions.

Definition 9 A partially observable session, or po-session for short, is a finite set of predicates of the form $p(u_1, \ldots, u_n)$, where $p$ is an uninterpreted predicate symbol and each $u_i$ is either a constant or a variable. A partially observable history (po-history) is a finite list of po-sessions. Given a po-history $h$, we denote with $V(h)$ the set of variables occurring in $h$.

Definition 10 Given a po-history $h$, a natural number $i$, and a closed formula $\psi$, we say that $h$ potentially satisfies $\psi$ at $i$, written $(h, i) \vdash \psi$, if there exists a substitution $\sigma$ such that $dom(\sigma) = V(h)$ and $(h\sigma, i) \models \psi$. We say that $h$ adheres to $\psi$ at $i$, written $(h, i) \Vdash \psi$, if $(h\sigma, i) \models \psi$ for all $\sigma$ such that $dom(\sigma) = V(h)$.

Notice that the adherence problem is just the dual of the potential satisfiability problem. That 
is, $(h, i) \Vdash \psi$ if and only if $(h, i) \nvdash \neg\psi$. In general the potential satisfiability problem is 
undecidable, since one can easily encode solvability of general Diophantine equations, which is 
known to be undecidable. To see this, suppose that the term language of the logic includes 
standard arithmetic operators (including exponentiation). Then we can express any Diophantine 
equation directly within our term language. Let us denote with $D(x_1, \ldots, x_n)$ a set 
of Diophantine equations whose variables are among $x_1, \ldots, x_n$. Assume that we have $n$ 
uninterpreted unary predicate symbols $p_1, \ldots, p_n$ which take an integer argument. Then solvability 
of $D(x_1, \ldots, x_n)$ is reducible to the satisfiability problem 

$$\{p_1(X_1), \ldots, p_n(X_n)\} \vdash \exists x_1 : p_1.\ \cdots\ \exists x_n : p_n.\ \psi(x_1, \ldots, x_n)$$

where $\psi(x_1, \ldots, x_n)$ is the conjunction of all the equations in $D(x_1, \ldots, x_n)$. So obviously 
decidability of the potential satisfiability problem depends on the term language of the 
logic. We consider here the decidability problem for the case where the term language is the 
language of linear arithmetic over integers, i.e., terms of the form (modulo associativity and 
commutativity of $+$) $k_1 x_1 + \cdots + k_n x_n + c$, where $c$ and each $k_i$ are integers. We also assume 
the standard relations on integers $=$, $>$ and $<$. It is useful to introduce a class of constraint 
formulae generated by the following grammar: 

$$C ::= \top \mid \bot \mid t_1 = t_2 \mid t_1 < t_2 \mid t_1 > t_2 \mid C_1 \wedge C_2 \mid C_1 \vee C_2 \mid \neg C.$$

We say that a constraint $C$ is satisfiable if there exists a substitution $\sigma$ such that $C\sigma$ is true. 
Satisfiability of constraint formulae is decidable (see [10] for a list of algorithms). The decidability 
proof of the potential satisfiability problem involves a transformation of the judgement 
$(h, i) \vdash \psi$ into an equivalent constraint formula. 

Theorem 11 The potential satisfiability problem and the adherence problem for $\mathrm{PTLTL}^{FO}$ 
with linear arithmetic are decidable. 

We note that the transformation of the potential satisfiability problem to constraint formulae 
used in the proof of Theorem 11 may result in an exponential blow-up. But if we fix the formula, 
we may be able to obtain a translation that is polynomial in the size of the history. We leave the details 
of this and other restrictions to future work. 

7 Extended guarded quantifiers 

As we have mentioned in the introduction, an underlying design principle for our quantified 
policies is the closed-world assumption (CWA). The guarded quantifier in $\mathrm{PTLTL}^{FO}$ is the 
most basic quantifier, and by no means the only one that enforces this CWA principle. It is 
a natural theoretical question to ask what other possible extensions achieve the same effect, 
although we have not so far seen the need for them in practice. 

We have mentioned earlier that introducing negation in the guard easily leads to undecidability. 
Surprisingly, simple extensions with unrestricted disjunction or the $S$ operator also lead to 
undecidability, as we shall see shortly. Let us first fix the language with extended guarded 
quantifiers. The syntax of quantified formulae is as follows: 

$$\forall \vec{x} : \psi(\vec{x}).\ \varphi(\vec{x}) \qquad \exists \vec{x} : \psi(\vec{x}).\ \varphi(\vec{x}).$$

Here the formula $\psi(\vec{x})$ is a guard, and $\vec{x}$ are its only free variables. The semantics of the 
quantifiers is a straightforward extension of that of $\mathrm{PTLTL}^{FO}$, i.e., 

$$(h, i) \models \forall(x_1, \ldots, x_n) : \psi(x_1, \ldots, x_n).\ \varphi \quad \text{iff}$$

$$\text{for all } c_1, \ldots, c_n, \text{ if } (h, i) \models \psi(c_1, \ldots, c_n) \text{ then } (h, i) \models \varphi[x_1 := c_1, \ldots, x_n := c_n].$$

Now consider a guarded quantifier that allows unrestricted uses of disjunction. Suppose $\varphi(\vec{x})$, 
where $\vec{x}$ range over integers, is a formula encoding some general Diophantine equation. Let 
$\psi(\vec{x}, y)$ be the guard formula $p(\vec{x}) \vee q(y)$, for some predicates $p$ and $q$ of appropriate types. Then 
satisfiability of the entailment 

$$\{q(0)\} \vdash \exists(\vec{x}, y) : \psi(\vec{x}, y).\ \varphi(\vec{x})$$

is equivalent to the validity of the first-order formula $\exists \vec{x}.\ \varphi(\vec{x})$, which states the solvability 
of the Diophantine equations in $\varphi(\vec{x})$. This means that the model checking problem for 
$\mathrm{PTLTL}^{FO}$ with unrestricted disjunctive guards is undecidable. The cause of this undecidability 
is that satisfiability of the guard, relative to the history, is independent of the variables $\vec{x}$. 
Similar observations can be made regarding unrestricted uses of the "since" operator, e.g., 
if we replace the guard $\psi(\vec{x}, y)$ with $p(\vec{x})\ S\ q(y)$, we get the same undecidability result. 
Another restriction that needs to be imposed on guarded quantifiers concerns the use of function 
symbols: their use easily leads to a violation of CWA, and again to undecidability of model 
checking. For instance, in checking 

$$\{p(0)\} \vdash \forall(x, y) : p(x + y).\ \varphi(x, y)$$

we have to consider infinitely many combinations of $x$ and $y$ such that $x + y = 0$. 

Based on the above considerations, we design the following guarded extensions to the quantifiers 
of $\mathrm{PTLTL}^{FO}$. The language of guards is defined as follows. Simple guards are formulae 
generated by the following grammar: 

$$\gamma ::= p(\vec{u}) \mid \gamma \wedge \gamma \mid G^{-1}\gamma \mid F^{-1}\gamma$$

Here $\vec{u}$ is a list of variables and constants (no function symbols allowed). We write $\gamma(\vec{x})$ 
to denote a simple guard whose only free variables are $\vec{x}$. Positive guards $G(\vec{x})$ over variables 
$\vec{x}$ are formulae whose only variables are $\vec{x}$, as generated by the following grammar: 

$$G(\vec{x}) ::= \gamma(\vec{x}) \mid G(\vec{x}) \wedge G(\vec{x}) \mid G(\vec{x}) \vee G(\vec{x}) \mid G^{-1} G(\vec{x}) \mid F^{-1} G(\vec{x}) \mid G(\vec{x})\ S\ G(\vec{x}).$$

We denote with $\mathrm{PTLTL}^{FO+}$ the language obtained by extending $\mathrm{PTLTL}^{FO}$ with positive 
guards. We show that the model checking problem for $\mathrm{PTLTL}^{FO+}$ is decidable. The key 
lemma to this is the finiteness of the set of "solutions" for a guard formula. 

Definition 12 Let $G(\vec{x})$ be a positive guard and let $h$ be a history. The guard instantiation 
problem, written $(h, G(\vec{x}))$, is the problem of finding a list $\vec{u}$ of constants such that $h \models G(\vec{u})$ 
holds. Such a list is called a solution of the guard instantiation problem. 

Lemma 13 Let $G(\vec{x})$ be a positive guard over variables $\vec{x}$ and let $h$ be a history. Then the set 
of solutions for the problem $(h, G(\vec{x}))$ is finite. Moreover, every solution uses only constants 
that appear in $h$. 

PROOF. By induction on the size of $G(\vec{x})$ and by definition of the forcing relation. □ 

Theorem 14 Let $\varphi$ be a $\mathrm{PTLTL}^{FO+}$ formula and $h$ a history. The model checking problem 
$h \models \varphi$ is decidable. 

PROOF. The proof follows the same structure as the decidability proof for $\mathrm{PTLTL}^{FO}$, using 
Lemma 13 for the quantifier cases. □ 
8 Conclusions and related work 



We have presented a formal language for expressing history-based access control policies based 
on the pure past fragment of linear temporal logic, extended to allow certain guarded quantifiers 
and arbitrary computable functions and relations. As our examples show, these extensions 
allow us to write complex policies concisely, while retaining decidability of model checking. 
Adding a counting quantifier allows us to express some statistical "meta" properties in policies. 
We also consider the monitoring problem in the presence of unobservable or unknown action 
parameters. We believe this is the first formulation of the problem in the context of monitoring. 

There is much previous work in the related area of history-based access control [16, 8, 7, 2, 11, 3]. 
As mentioned in the introduction, our transaction-based approach to defining policies separates 
us from the more traditional trace-based approaches in program execution monitoring. 
Our work is closely related to Krukow et al. [11, 12], but there are a few important differences. 
Their definition of sessions allows events to be partially ordered using event structures 
[17], whereas our notion of a session as a set with no structure is simpler. For the application 
domains we are interested in, we see no need for sessions to have extra structure built into 
their semantics, since such relations between events can be explicitly encoded in our setup 
using first-order quantifiers and a rich term language allowing extra parameters, interpreted 
functions, timestamps and arithmetic. In the first-order case, they forbid multiple occurrences 
of the same event in a session; roughly, their histories in this case correspond to our trace-like 
histories (see Section 4). Their language does not allow arbitrary computable functions and 
relations, since, as we have seen, allowing these features in the presence of quantifiers can easily 
lead to undecidability of model checking. Our policy language is thus more expressive than 
theirs in describing quantitative properties of histories, as we have also seen in some examples. 
Although we have a prototype implementation for checking histories against policies of our 
language (cf. Section 4), we plan to address further implementation-related issues like generating 
more efficient monitors that operate online in the sense of [8] for past-time LTL. That 
is, when a given trace is extended by a new session, an efficient monitor makes a decision by 
merely processing the extension rather than the previous history as well as the extension. Another 
interesting problem is how to reason about policies, whereby we can tell that a policy is 
subsumed by another, or when it is in conflict with another. This requires finding a proof system 
for our logic which is sound and complete for our particular models (as finite histories). 
A Detailed proofs 

In the following, given a history $h$, we shall denote with $s(h)$ the size of $h$, i.e., the number of 
symbols occurring in $h$. 

Lemma 15 The judgement $(h, i, \varphi) \Downarrow \mathbf{t}$ is derivable if and only if $(h, i) \models \varphi$. Similarly, the 
judgement $(h, i, \varphi) \Downarrow \mathbf{f}$ is derivable if and only if $(h, i) \not\models \varphi$. 

PROOF. Straightforward by induction on the derivation tree of the evaluation judgements and 
the inductive definition of the semantic judgement $(h, i) \models \varphi$. □ 
</gr_repl>

Theorem 4 Let $\varphi$ be a $\mathrm{PTLTL}^{FO}$ formula and let $h$ be a history. If the interpreted functions 
and relations in $\varphi$ are in PSPACE, then the problem of deciding whether or not $h \models \varphi$ holds is 
PSPACE-complete. 

PROOF. To show membership in PSPACE, we use Lemma 3 and show that checking the derivability 
of $(h, |h|, \varphi) \Downarrow v$, where $v$ is either $\mathbf{t}$ or $\mathbf{f}$, can be done in PSPACE. Note that the transformation 
rules, reading them bottom-up, decrease either the index $|h|$ or the size 
of $\varphi$, hence applying these transformations to the original judgement always terminates. Moreover, 
the depth of any derivation tree for $(h, i, \varphi) \Downarrow v$ is bounded by $|h| + |\varphi|$. Note also that 
although the size of the derivation tree is exponential, one needs to check only one branch at a 
time. Therefore, to calculate the space requirement, we only need to calculate the space requirement 
for each node, multiplied by the maximum depth of the derivation tree. At each node, we 
need to store the information about the child nodes that have not been visited, plus the values 
that have been computed for the child nodes that have been visited, which is a list of boolean 
values. Notice that the branching factor of each rule, except $\forall$, is at most 3, and for $\forall$, it is at 
most $s(h)$. Therefore the branching factor of the rules is bounded by $s(h) + 3$, which means 
that the number of visited and not-yet-visited child nodes is also bounded by $s(h) + 3$. Each 
not-yet-visited child node takes up at most $s(h) + |\varphi|$ space, since we need to store the history 
$h$ and an immediate subformula of $\varphi$, and we need only to store the boolean value computed 
from each visited child node, which takes up a constant amount of space (true or false), say $b$. Hence the 
space requirement for this model checking problem is at most 

$$(|h| + |\varphi|) \times (s(h) + 3) \times (s(h) + |\varphi| + b)$$

which is polynomial in the size of $h$ and $\varphi$. 

To show PSPACE-hardness, we reduce the problem of checking satisfiability of quantified Boolean 
formulae (QBF), which is known to be PSPACE-complete, to our model checking problem. Let 
$F = Q_1 x_1.\ Q_2 x_2.\ \cdots\ Q_n x_n.\ E(x_1, x_2, \ldots, x_n)$ be a well-formed quantified Boolean formula 
(in prenex normal form), where $E$ is a Boolean expression involving variables $x_1, x_2, \ldots, x_n$, 
and $Q_i \in \{\forall, \exists\}$. The QBF problem then asks if $F$ evaluates to $\top$ (cf. [19]). Notice $F$ always 
evaluates to $\top$ or $\bot$ since there are no free variables in $F$. Let $F$ be given as above; then we 
construct in polynomial time a $\mathrm{PTLTL}^{FO}$ formula 

$$\varphi = Q_1 x_1 : p_1.\ Q_2 x_2 : p_2.\ \cdots\ Q_n x_n : p_n.\ E(\mathit{true}(x_1), \mathit{true}(x_2), \ldots, \mathit{true}(x_n)),$$

and a history $h = \{\{p_1(0), p_1(1), p_2(0), p_2(1), \ldots, p_n(0), p_n(1), \mathit{true}(1)\}\}$, where $E$ uses the 
same Boolean connectives as in $F$. It is then easy to see that $F$ evaluates to $\top$ if and only if 
$h \models \varphi$. □ 



Theorem 5 The decision problem for $h \models \varphi$, where $\varphi$ is fixed, is solvable in polynomial time 
in the size of $h$. 

PROOF. Let the closure $cl(\varphi)$ of $\varphi$ contain all $m$ subformulae of $\varphi$, i.e., $|cl(\varphi)| = m$, where 
$m$ is constant as $\varphi$ is fixed. For example, if $\varphi = G^{-1}\forall x : p.\ \exists y : q.\ x > y$, then $cl(\varphi) = 
\{(\varphi), (\forall x : p.\ \exists y : q.\ x > y), (\exists y : q.\ x > y), (x > y)\}$. Then, to evaluate $h \models \varphi$, we first 
build a tree structure, similar to a syntax tree, whose nodes correspond to the subformulae of 
$\varphi$ and whose root node corresponds to $\varphi$. We attach to each node, in a bottom-up manner, a 
truth table containing the truth value of the subformula at the node, for all $|h|$ sessions of the 
history and under all possible substitutions for the (free) variables occurring in the subformula. 
Therefore, each table has $|h|$ rows (one for each session), and at most $s(h)^m$ columns (since 
there are at most $m$ variables and each variable can range over at most $s(h)$ values). We fill 
this table bottom up, from the first session and from the atomic subformulae. The base case 
with atomic subformulae is easy; we need either to evaluate the relation symbols (in case it 
is an interpreted atomic formula) or perform a lookup in the history. In both cases, it takes at 
most polynomial time. By inspection of the semantics of $\mathrm{PTLTL}^{FO}$, it is clear that the truth 
value of a non-atomic formula depends on the truth values of its immediate subformulae, or on 
the same formula at an earlier session. Thus to calculate the truth value of a non-leaf node 
at session $i$ and under a substitution $\sigma$, it is enough to perform table lookups on its immediate 
child nodes, or on earlier entries in the same node. This requires at most linear time in the size 
of $h$. Therefore, to fill up a truth table at each node, we need at most polynomial time. Since 
there are $m$ tables, the whole procedure takes at most polynomial time in the size of $h$. □ 

Theorem 7 Let $\varphi$ be a $\mathrm{PTLTL}^{FO}$ formula and $h$ be a trace-like history. The problem of 
deciding whether or not $h \models \varphi$ holds is PSPACE-complete in the size of $\varphi$. 

PROOF. It is sufficient to show PSPACE-hardness. As in the proof of Theorem 4, we map 
in polynomial time the PSPACE-complete QBF problem to the given one, and show that the 
answer to the QBF problem is $\top$ if and only if $h \models \varphi$ holds for carefully constructed $h$ and $\varphi$. 
Let $F = Q_1 x_1 \cdots Q_n x_n.\ E(x_1, \ldots, x_n)$ be a QBF problem defined as above. Then, we construct 
a formula using the same connectives as in $E$, 

$$\varphi = T_1 Q_1 x_1 : p_1 \cdots T_n Q_n x_n : p_n.\ E(\mathit{true}(x_1), \ldots, \mathit{true}(x_n)),$$

where $T_i$ is a temporal operator, and we have $T_i = G^{-1}$ if $Q_i = \forall$, and $T_i = F^{-1}$ if $Q_i = \exists$. 
Furthermore, we construct a history 

$$h = \{\{p_n(0), \mathit{true}(1)\}, \{p_n(1), \mathit{true}(1)\}, \ldots, \{p_1(0), \mathit{true}(1)\}, \{p_1(1), \mathit{true}(1)\}\},$$

where we separate different truth values into different sessions to preserve the trace-like structure. 
To still be able to select different truth values for different predicates, we use temporal operators 
instead. So, if $h \models \varphi$ holds, then the operator $G^{-1}$ ensures that both interpretations of the 
corresponding predicate evaluate $F$ to $\top$, whereas $F^{-1}$ ensures that one of the two possible 
interpretations of the corresponding predicate evaluates $F$ to $\top$. □ 

Theorem 8 Assuming that the interpreted functions and relations are in PSPACE, the model 
checking problem for $\mathrm{PTLTL}^{FO}$ extended with the counting quantifier is PSPACE-complete. 

PROOF. We need only to show membership in PSPACE. The proof follows the same outline 
as the proof of Theorem 4, but with the evaluation rule extended to deal with the counting 
quantifier: 

$$(h, i, Nx : \psi.\ \varphi(x)) \Downarrow v$$

where $n = \sum_j f(v_j)$ and $f$ is a function defined by $f(\mathbf{t}) = 1$ and $f(\mathbf{f}) = 0$. The branching 
factor of this rule is bounded by $s(h) + 1$. The rest of the proof proceeds as in the proof of 
Theorem 4. □ 

To prove Theorem 11, we consider a slightly more general problem $(h, i) \vdash \psi$ where $\psi$ can contain 
free variables, provided they occur in $h$. The potential satisfiability problem is generalised 
straightforwardly, i.e., $(h, i) \vdash \psi$ iff there exists a substitution $\sigma$ such that $dom(\sigma) = V(h)$ 
and $(h\sigma, i) \models \psi\sigma$. In the following, given a finite set of formulae $S$, we shall write $\bigvee S$ to denote 
the disjunction of all the formulae in $S$. In the case where $S$ is empty, $\bigvee S$ denotes $\bot$. Likewise, 
$\bigwedge S$ denotes the conjunction of the formulae in $S$ and when $S$ is empty, it denotes $\top$. 

Lemma 16 For every $h$, $i$, and $\psi$, there exists a constraint formula $C$ such that $(h, i) \vdash_g \psi$ if 
and only if $C$ is satisfiable. 

PROOF. We construct $C$ by induction on $\psi$ and $i$. If $i < 1$ or $i > |h|$ then $C = \bot$. Obviously, 
$C$ is satisfiable iff $(h, i) \vdash_g \psi$. We show some of the remaining cases here (the other cases are 
straightforward): 

(1) If $\psi$ is either $t_1 = t_2$, $t_1 < t_2$ or $t_1 > t_2$ then $C = \psi$. 

(2) Suppose $\psi = p(t_1, \ldots, t_n)$. Then 

$$C = \bigvee \{u_1 = t_1 \wedge \cdots \wedge u_n = t_n \mid p(u_1, \ldots, u_n) \in h_i\}.$$

(3) Suppose $\psi = \psi_1\ S\ \psi_2$. By induction hypothesis (on the size of $\psi$) we have 

(i) $C_1$ such that $(h, i) \vdash_g \psi_1$ iff $C_1$ is satisfiable, and 

(ii) $C_2$ such that $(h, i) \vdash_g \psi_2$ iff $C_2$ is satisfiable. 

If $i = 1$ then let $C = C_2$. Otherwise, $i > 1$ and by induction hypothesis, we have $C_3$ such 
that $(h, i-1) \vdash_g \psi_1\ S\ \psi_2$ iff $C_3$ is satisfiable. In this case, let $C = C_2 \vee (C_1 \wedge C_3)$. 

(4) Suppose $\psi = \forall(x_1, \ldots, x_n) : p.\ \psi'(x_1, \ldots, x_n)$. By induction hypothesis, for each tuple 
$\vec{u} = (u_1, \ldots, u_n)$, we have a $C_{\vec{u}}$ such that $(h, i) \vdash_g \psi'(u_1, \ldots, u_n)$ iff $C_{\vec{u}}$ is satisfiable. 
Define $C$ as follows: 

$$C = \bigwedge \{C_{\vec{u}} \mid p(u_1, \ldots, u_n) \in h_i\}.$$

By inspecting the clauses of the forcing relation and the definition of $(h, i) \vdash_g \psi$, it is straightforward 
to check that in each case above $C$ is satisfiable if and only if $(h, i) \vdash_g \psi$. □ 
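To see the earlier po-history example (the policies $\psi$ and $\psi'$ with the unknown amount $X$) and the construction in the proof of Lemma 16 together, the Python below, an added example and not the paper's code, builds the constraint formula for $(h, i) \vdash_g \psi$ following the cases of that proof and then decides it. It covers only the fragment that example needs: equality is the sole interpreted relation, so satisfiability is decided by bounded enumeration (an equality-only constraint that is satisfiable has a model in which every variable takes either a constant occurring in the constraint or one of $n$ pairwise distinct fresh values), which is this example's stand-in for the linear-arithmetic procedures the text cites from [10]. The tuple encoding of formulae, the inclusive reading of $G^{-1}$ and $F^{-1}$, and the history with the unknown $X$ are assumptions stated in the comments; adherence is computed as the dual of potential satisfiability, as noted after Definition 10.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Var:
    """A variable: quantified in a policy, or an unknown parameter of a po-history."""
    name: str

# Formula AST (tuples), encoding assumed for this example; constants are ints or strs:
#   ("pred", name, args) ("eq", t1, t2) ("not", f) ("and", f, g) ("or", f, g) ("S", f, g)
#   ("forall", vars, p, body) ("exists", vars, p, body)   guard p is a predicate symbol
#   ("G", f) ("F", f)   G^{-1} f / F^{-1} f over sessions 1..i inclusive (assumed)
# A po-history is a list of sessions, each a set of (name, args) tuples; args may be Vars.
# Constraints: n-ary ("and", ...) / ("or", ...), ("not", c) and ("eq", a, b); the empty
# "and" is top and the empty "or" is bottom.

def subst(f, s):
    """Replace quantified variables of f by the terms in mapping s."""
    k = f[0]
    if k == "pred":
        return (k, f[1], tuple(s.get(a, a) for a in f[2]))
    if k == "eq":
        return (k, s.get(f[1], f[1]), s.get(f[2], f[2]))
    if k in ("forall", "exists"):   # bound variables shadow s
        return (k, f[1], f[2], subst(f[3], {v: t for v, t in s.items() if v not in f[1]}))
    return (k,) + tuple(subst(g, s) for g in f[1:])

def translate(h, i, f):
    """Lemma 16: a constraint C such that (h, i) |-_g f iff C is satisfiable."""
    if i < 1 or i > len(h):
        return ("or",)
    k = f[0]
    if k == "eq":
        return f
    if k == "pred":   # one disjunct per matching atom of h_i, equating the arguments
        return ("or",) + tuple(("and",) + tuple(("eq", u, t) for u, t in zip(args, f[2]))
                               for name, args in h[i - 1]
                               if name == f[1] and len(args) == len(f[2]))
    if k in ("not", "and", "or"):
        return (k,) + tuple(translate(h, i, g) for g in f[1:])
    if k in ("forall", "exists"):   # closed world: instances come from the guard atoms in h_i
        parts = tuple(translate(h, i, subst(f[3], dict(zip(f[1], args))))
                      for name, args in h[i - 1] if name == f[2] and len(args) == len(f[1]))
        return ("and" if k == "forall" else "or",) + parts
    if k in ("G", "F"):
        return ("and" if k == "G" else "or",) + tuple(translate(h, j, f[1]) for j in range(1, i + 1))
    c1, c2 = translate(h, i, f[1]), translate(h, i, f[2])   # f[1] S f[2]
    return c2 if i == 1 else ("or", c2, ("and", c1, translate(h, i - 1, f)))

def holds(c, sigma):
    k = c[0]
    if k == "eq":
        return sigma.get(c[1], c[1]) == sigma.get(c[2], c[2])
    if k == "not":
        return not holds(c[1], sigma)
    return (all if k == "and" else any)(holds(g, sigma) for g in c[1:])

def satisfiable(c):
    """Equality-only constraints have a small-model property: a satisfiable one has a model
    in which each variable is a constant of c or one of n pairwise distinct fresh values."""
    vs, consts = set(), set()

    def walk(d):
        if d[0] == "eq":
            for t in d[1:]:
                (vs if isinstance(t, Var) else consts).add(t)
        else:
            for g in d[1:]:
                walk(g)
    walk(c)
    order = sorted(vs, key=lambda v: v.name)
    cands = sorted(consts, key=repr) + [("fresh", n) for n in range(len(order))]
    return any(holds(c, dict(zip(order, pick))) for pick in product(cands, repeat=len(order)))

def potentially_satisfies(h, i, f):
    return satisfiable(translate(h, i, f))

def adheres(h, i, f):
    """Adherence is the dual of potential satisfiability: (h, i) ||- f iff not (h, i) |- not f."""
    return not potentially_satisfies(h, i, ("not", f))

# The po-history example, constructed here; X is the unobserved payment amount.
x, v, t, y, u, X = (Var(n) for n in ("x", "v", "t", "y", "u", "X"))
PSI = ("forall", (x, v), "win", ("exists", (t, y, u), "pay", ("and", ("eq", x, y), ("eq", v, u))))
PSI_PRIME = ("G", ("forall", (x, v), "win", ("exists", (t, y, u), "pay",
             ("and", ("eq", x, y), ("or", ("eq", u, v), ("pred", "positive", ()))))))
H = [{("win", ("a", 100)), ("pay", (1, "a", 100)), ("post", ("a", 5))},
     {("win", ("a", 100)), ("pay", (2, "a", X)), ("post", ("a", 4)), ("positive", ())}]

if __name__ == "__main__":
    print(potentially_satisfies(H, 2, PSI), adheres(H, 2, PSI))              # True False
    print(potentially_satisfies(H, 2, PSI_PRIME), adheres(H, 2, PSI_PRIME))  # True True
```

`potentially_satisfies(H, 2, PSI)` is True (take $X = 100$) while `adheres(H, 2, PSI)` is False, because the negated constraint is satisfied by any fresh value for $X$; both are True for `PSI_PRIME`, since the `positive` atom in the second session makes the disjunction hold whatever $X$ is. As the remark after Theorem 11 warns, the $S$, $G^{-1}$ and $F^{-1}$ cases re-translate subformulae once per session, so the constraint can grow exponentially with nesting depth.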